"""CMS 医院管理员 - 人员管理（用户范围）测试：CMS-HUSER-1~3。

医院管理员只能管理本院的医生/学生；机构强制本院、角色受限。
"""
from rest_framework.test import APIClient

from apps.user.models import User
from .conftest import CacheTestCase, create_test_user, get_auth_client, ensure_institution

CMS_USER_URL = '/api/cms/users/'


def u_detail(pk):
    return f'/api/cms/users/{pk}/'


class HospitalAdminUserScopeTest(CacheTestCase):
    def setUp(self):
        super().setUp()
        self.inst = ensure_institution(name='本院', code='HU-A')
        self.other = ensure_institution(name='他院', code='HU-B')
        self.admin = create_test_user(phone='13931000001', role_type='hospital_admin',
                                      institution=self.inst)
        self.client = get_auth_client(self.admin)
        # 本院医生、学生；他院学生
        self.doc = create_test_user(phone='13931000002', role_type='doctor', institution=self.inst)
        self.stu = create_test_user(phone='13931000003', role_type='student', institution=self.inst)
        self.other_stu = create_test_user(phone='13931000004', role_type='student', institution=self.other)

    def test_list_scoped_to_own_doctor_student(self):
        resp = self.client.get(CMS_USER_URL)
        self.assertEqual(resp.status_code, 200, resp.content)
        ids = {u['id'] for u in resp.json()['results']}
        self.assertIn(self.doc.id, ids)
        self.assertIn(self.stu.id, ids)
        self.assertNotIn(self.other_stu.id, ids)   # 他院不可见
        self.assertNotIn(self.admin.id, ids)        # 医院管理员自己(role=hospital_admin)不在 doctor/student 范围

    def test_create_forces_own_institution(self):
        # 传了他院机构，仍落本院
        resp = self.client.post(CMS_USER_URL, {
            'phone': '13931000010', 'real_name': '新医生', 'role_type': 'doctor',
            'institution': self.other.id,
        })
        self.assertEqual(resp.status_code, 201, resp.content)
        u = User.objects.get(phone='13931000010')
        self.assertEqual(u.institution_id, self.inst.id)   # 强制本院

    def test_create_content_admin_allowed(self):
        # 医院管理员可给本院授予内容管理员权限
        resp = self.client.post(CMS_USER_URL, {
            'phone': '13931000011', 'real_name': '内容员', 'role_type': 'content_admin',
        })
        self.assertEqual(resp.status_code, 201, resp.content)
        u = User.objects.get(phone='13931000011')
        self.assertEqual(u.role_type, 'content_admin')
        self.assertEqual(u.institution_id, self.inst.id)   # 强制本院

    def test_create_role_restricted(self):
        # 医院管理员不能建 hospital_admin / super_admin
        for role in ('hospital_admin', 'super_admin'):
            resp = self.client.post(CMS_USER_URL, {
                'phone': '13931000012', 'real_name': 'x', 'role_type': role,
            })
            self.assertEqual(resp.status_code, 403, f'{role}: {resp.content}')
            self.assertEqual(resp.json()['code'], 'CMS_ROLE_NOT_ALLOWED')

    def test_cannot_touch_other_institution_user(self):
        # 他院学生不在 queryset → 404
        self.assertEqual(self.client.get(u_detail(self.other_stu.id)).status_code, 404)
        self.assertEqual(self.client.delete(u_detail(self.other_stu.id)).status_code, 404)

    def test_soft_delete_own_student(self):
        resp = self.client.delete(u_detail(self.stu.id))
        self.assertEqual(resp.status_code, 204, resp.content)
        self.assertFalse(User.objects.filter(id=self.stu.id).exists())

    def test_reset_password_own(self):
        resp = self.client.post(f'/api/cms/users/{self.doc.id}/reset-password/', {})
        self.assertEqual(resp.status_code, 200, resp.content)
        self.assertEqual(resp.json()['password'], 'Pass13931000002')

    def test_filter_by_role(self):
        # 医生管理页 ?role_type=doctor
        resp = self.client.get(CMS_USER_URL, {'role_type': 'doctor'})
        self.assertEqual(resp.status_code, 200)
        roles = {u['role_type'] for u in resp.json()['results']}
        self.assertEqual(roles, {'doctor'})